Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-55597

CVE-2026-55597: ImageMagick Buffer Overflow Vulnerability

CVE-2026-55597 is a heap buffer overflow vulnerability in ImageMagick's JP2 encoder that allows attackers to overwrite memory. This article covers the technical details, affected versions, and mitigation strategies.

Published:

CVE-2026-55597 Overview

CVE-2026-55597 is a heap buffer overflow vulnerability in ImageMagick, the widely used open-source image editing and manipulation library. The flaw resides in the JP2 (JPEG 2000) encoder and stems from incorrect handling of arguments, resulting in a heap buffer over-write during image processing. All versions prior to 7.1.2-26 are affected. The vulnerability was fixed in version 7.1.2-26. Exploitation requires local access and user interaction, such as processing a maliciously crafted image, and primarily impacts application availability.

Critical Impact

Processing a crafted image with a vulnerable ImageMagick build triggers a heap buffer over-write in the JP2 encoder, causing memory corruption and application crashes.

Affected Products

  • ImageMagick versions prior to 7.1.2-26
  • Applications and services embedding vulnerable ImageMagick builds for JP2 encoding
  • Linux distributions and container images packaging affected ImageMagick releases

Discovery Timeline

  • 2026-07-01 - CVE-2026-55597 published to NVD
  • 2026-07-01 - Last updated in NVD database

Technical Details for CVE-2026-55597

Vulnerability Analysis

The vulnerability affects the JP2 encoder path within ImageMagick. When the encoder receives improperly validated arguments, it miscalculates buffer boundaries and writes beyond an allocated heap region. The condition is classified under [CWE-682] (Incorrect Calculation), reflecting a computation error in size or offset handling rather than a missing check on user input alone.

The issue is exploitable locally when a user or automated pipeline invokes ImageMagick to convert or write a JP2 output file. Because the write occurs on the heap, attackers can influence adjacent allocations to corrupt program state, most reliably producing a crash and denial of service. The impact profile emphasizes availability, with confidentiality and integrity impacts not scored.

Root Cause

The root cause is an incorrect calculation in argument handling inside the JP2 encoder. The encoder does not correctly reconcile input dimensions, channel counts, or component parameters with the size of the destination heap buffer. When encoding proceeds, the writes cross the intended boundary and overwrite adjacent heap memory.

Attack Vector

An attacker delivers a crafted image or supplies malicious parameters to a workflow that encodes output as JP2 using ImageMagick. A local user must trigger the conversion, for example through convert input.ext output.jp2 or an application feature that reaches the JP2 encoder. Server-side image processing pipelines that accept user-supplied files and invoke ImageMagick locally are also exposed.

No verified public exploit code is available. The vulnerability is described in the GitHub Security Advisory GHSA-c4v7-w88g-m6c4.

Detection Methods for CVE-2026-55597

Indicators of Compromise

  • Unexpected crashes of processes invoking magick, convert, or applications linked against libMagickCore when producing JP2 output
  • Core dumps or ASan reports referencing the JP2 encoder call path in ImageMagick
  • Presence of ImageMagick binaries or libraries reporting versions earlier than 7.1.2-26

Detection Strategies

  • Inventory installed ImageMagick versions across endpoints, servers, and container images and flag any build earlier than 7.1.2-26
  • Enable AddressSanitizer or heap protection during testing to surface heap over-write conditions in JP2 encoding workflows
  • Review application logs for repeated abnormal terminations of image conversion processes handling untrusted inputs

Monitoring Recommendations

  • Monitor process exit codes and segmentation faults for ImageMagick-related binaries in production pipelines
  • Alert on new file uploads targeting image processing endpoints followed by process crashes within a short window
  • Track package manager events that install or update ImageMagick to verify patched versions are deployed

How to Mitigate CVE-2026-55597

Immediate Actions Required

  • Upgrade ImageMagick to version 7.1.2-26 or later across all systems, containers, and dependent applications
  • Audit build pipelines and third-party software bundles for embedded vulnerable ImageMagick versions
  • Restrict local invocation of ImageMagick on untrusted inputs until patching completes

Patch Information

The issue is fixed in ImageMagick version 7.1.2-26. Refer to the upstream GitHub Security Advisory GHSA-c4v7-w88g-m6c4 for the fix commit and release details. Redistribute or rebuild container images and downstream packages after applying the fixed version.

Workarounds

  • Disable the JP2 coder in the ImageMagick policy.xml file if patching cannot be performed immediately
  • Avoid encoding output to the JP2 format when handling untrusted or attacker-influenced inputs
  • Sandbox ImageMagick execution with restricted user privileges, seccomp, or containerization to limit blast radius from crashes
bash
# policy.xml workaround - block JP2 encoding until upgrade to 7.1.2-26
# Add inside the <policymap> element of /etc/ImageMagick-7/policy.xml
<policy domain="coder" rights="none" pattern="JP2" />
<policy domain="coder" rights="none" pattern="JPC" />
<policy domain="coder" rights="none" pattern="J2K" />

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.